At 5/8/13 01:08 PM, egg82 wrote:
At 5/8/13 02:33 AM, TheNavigat wrote:
What I'm saying (as an approach) here, is to connect the first SWF (which is the client one, the game itself), to the second SWF (which has access to the PHP script). The second SWF has allowDomain implemented, so only the first SWF will work, and even if it's decrypted, the guy can't send anything to the second SWF. I guess that's kinda secure :/ The problem is preventing any access of the second .SWF though, I believe :/Flash doesn't quite work that way. In order to be a Flash server (use the ServerSocket and DatagramSocket classes) the server would need to be a desktop AIR application, and you would still need to load a policy file from that server.
Plus that the PHP script itself allows specific actions. The second SWF sends POST requests, and not SQL statements.
I'm lost again, I guess.
If you're interested in source code on how that works, check here.
On a side note, if the swf is on the same site (the same computer?) as the content it's accessing, it doesn't need to go through the security hoops.
Also, the on-site swf can be downloaded quite easily. Don't count on that as being secure, Flash is NOT a server-side anything.
PHP's slow and it's easy to create insecure code, but it works I suppose.
First rule of security is to think that every person in the world is the spawn of satan and wants to destroy you website using every method imaginable, and you're the only person stopping them.
Yeah, security's a tad depressing.
I'm a PHP freelancer on the other hand, so yea I know these stuff, and I always make very secured apps, fortunately, up till now, they were never hacked, not even "altered", but when I saw flash, it was a big block and I figured out that it will be semi-impossible to make it completely secured, like the apps I made. The definition of "completely secured" for me is that I'll be sitting there knowing that every single way of breaking an app that I know won't work, but for Flash it's different, I'm like "Oh, I know that the guy can do X, Y and Z. Let's just hope he isn't that much good, or patient".
The Flash SWF isn't the server, it CONTACTS the server. The problem is, how can the server confirm that it's indeed the game? That's the whole thing.
Also, PHP is EXTREMELY secured if the right guy's doing the right job ;)